You have a firewall. You use HTTPS. You run npm audit. But if I can change the JSON payload of a “Buy” request to send price: 0.01 and your server accepts it, your firewall is useless.

Penetration Testing (Pentesting) is the discipline of adversarial engineering. It is not about “checking boxes” for compliance. It is about actively trying to destroy your own application before someone else does.

At Maison Code Paris, we see security as the ultimate form of Quality Assurance. A bug that crashes the app is annoying. A bug that leaks 10,000 customer credit cards is existential.

Why Maison Code Discusses This

At Maison Code Paris, we act as the architectural conscience for our clients. We often inherit “modern” stacks that were built without a foundational understanding of scale. We see simple APIs that take 4 seconds to respond because of N+1 query problems, and “Microservices” that cost $5,000/month in idle cloud fees.

We discuss this topic because it represents a critical pivot point in engineering maturity. Implementing this correctly differentiates a fragile MVP from a resilient, enterprise-grade platform that can handle Black Friday traffic without breaking a sweat.

The Limits of automation

Most teams run an automated scanner (like OWASP ZAP or Nessus) and think they are secure. Scanners are great at finding Syntax Errors:

SQL Injection (' OR 1=1).
XSS (<script>alert(1)</script>).
Outdated Libraries (CVE-2023-XXXX).

Scanners are terrible at finding Logic Errors:

“Can I apply the same discount code 50 times simultaneously?”
“Can I view the order history of User ID 5 if I am logged in as User ID 4?”
“Can I set the price of the item to negative?”

These are Business Logic Vulnerabilities, and they account for the majority of financial loss in modern e-commerce.

Vulnerability 1: IDOR (Insecure Direct Object Reference)

This is the most common flaw in modern APIs (GraphQL/REST). It happens when you trust the Client to tell you which resource to access, without verifying ownership.

The Attack: User A logs in. They look at the URL or Network Tab: GET /api/orders/5001 They change it to: GET /api/orders/5002

If the server returns User B’s order, you have an IDOR.

The Vulnerable Code:

// BAD: Trusting the ID provided by the user
app.get('/api/orders/:id', async (req, res) => {
  const order = await db.order.findUnique({
    where: { id: req.params.id }
  });
  res.json(order);
});

The Secure Code:

// GOOD: Scoping the query to the authenticated user
app.get('/api/orders/:id', async (req, res) => {
  const session = await getSession(req);
  const order = await db.order.findFirst({
    where: { 
      id: req.params.id,
      userId: session.userId // The Critical Check
    }
  });
  
  if (!order) return res.status(404).send("Not Found"); // Don't say "Forbidden", simply say "Not Found" to avoid leakage
  res.json(order);
});

Vulnerability 2: Race Conditions (The Coupon Hack)

Web servers are concurrent. They handle thousands of requests per second. If your database logic is not “Thread Safe” (or Transaction Safe), you are vulnerable.

The Attack:

The site sends a Promo Code: “SAVE50” (Limit 1 use per customer).
The attacker writes a script to send 50 HTTP POST requests to /apply-coupon simultaneously (within 5ms).
The Server processes Request 1: “User has used coupon? No. Apply discount.”
The Server processes Request 2 (before Request 1 commits to DB): “User has used coupon? No. Apply discount.”
Result: The user gets 50x discount. The order is free.

The Fix: Database Locking: You must use Transactions with the correct Isolation Level or explicit Row Locking.

-- PostgreSQL / MySQL
BEGIN;
SELECT * FROM users WHERE id = 1 FOR UPDATE; -- Locks the row
-- Check coupon usage
-- Apply coupon
UPDATE users SET coupon_used = true WHERE id = 1;
COMMIT;

In Prisma/ORM terms, use $transaction with interactive isolation if possible, or use a Mutex in Redis if dealing with distributed counters.

Vulnerability 3: Supply Chain Attacks

In 2025, you write 10% of your code. The other 90% comes from node_modules. Hackers have stopped attacking your server; they attack your dependencies. They publish a package like lodash-utils (typosquatting) or compromise a popular package maintainer’s account.

Defense in Depth:

Lockfiles: Always commit package-lock.json. It ensures exact versions.
CI Audits: Run npm audit --audit-level=high in your build pipeline. Fail the build if criticals are found.
Modern Tools: Use Socket.dev or Snyk. They analyze the behavior of the package (“Why does this CSS library need Network Access?”).

Vulnerability 4: NoSQL Injection

Everyone knows about SQL Injection. But if you use MongoDB, you are not immune. MongoDB allows query objects. If you accept raw JSON from the client: db.users.find({ username: req.body.username }).

The Attack: User sends JSON: { "username": { "$gt": "" } }. This translates to: “Find users where username is greater than empty string.” This matches everyone. The attacker logs in as the first admin user.

The Fix: Sanitize inputs. Never pass req.body directly to a database query. Use libraries like zod to validate structure (ensure username is a string, not an object).

import { z } from 'zod';

const LoginSchema = z.object({
  username: z.string(), // Rejects objects like { $gt: "" }
  password: z.string()
});

const body = LoginSchema.parse(req.body); // Throws if invalid

The Red Team Exercise

At Maison Code, we recommend a Quarterly Red Team exercise. We designate 2 engineers who are allowed to attack the Staging environment.

They try to bypass payment.
They try to escalate privileges.
They try to access other users’ data.

This “Gamification” of security creates a culture where developers are proud of finding holes, rather than ashamed.

10. Bug Bounty Programs (Hackers as Employees)

You cannot hire enough security engineers. But you can rent the world’s hackers. We help clients launch on HackerOne or Bugcrowd.

Policy: “If you find a P1 (Critical), we pay $5,000.”
Result: Within 24 hours, 500 researchers will probe your site. They will find things your $100k scanner missed. “I found a way to bypass 2FA by removing the token parameter.” Paying $5,000 for that finding is cheaper than a $5M GDPR fine.

Your firewall is strong. Your receptionist is nice. Hackers know this. Phishing Simulation: We send fake emails to your employees. “Urgent: CEO needs wire transfer.” If they click, they get enrolled in training. Physical Security: Can I walk into your office effectively? Security is not just code; it’s people.

12. Cloud Security Posture Management (CSPM)

You secured the code. But did you leave the S3 bucket open? CSPM tools (Wiz, Orca) scan your AWS environment. “Alert: RDS Database port 5432 is open to 0.0.0.0/0”. This is not a code bug. It’s a config bug. We treat Infrastructure as Code (Terraform) as a security boundary. checkov runs in our CI pipeline to block any commit that opens a security group to the world.

13. Secret Scanning (The Git History Problem)

You accidentally committed AWS_SECRET_KEY in 2021. You deleted it in the next commit. It is still in the .git history. Hackers clone your repo and look at the log. We use TruffleHog or GitGuardian to scan the entire commit history. If a secret is found, we rotate it immediately. Revoking the key is the only fix.

14. Conclusion

Security is not a product you buy. It is a mindset. If you think “I am too small to be hacked,” you are wrong. Bots scan every IP address on the internet constantly. They don’t care if you are a Fortune 500 or a blog; if you have a vulnerability, they will exploit it to mine crypto or send spam.

Treat your application like a fortress. Audit every gate. Trust no one.

**[Hire our Architects](/contact)**.